
Model for managing risks in internal audit

Anonim

This chapter is the product of a study of the results of the Supervisions carried out by the author in the exercise of her functions as a Senior Audit specialist acting as Supervisor, and of her dual status as Professor of the Discipline of Accounting and Auditing, through which she had the opportunity to test these research results in practice.

These investigations correspond to a strategy aimed at responding to the problem posed as an object of work in the research design, which were combined as follows:

  • Design and validation of a Model to diagnose risks in the Internal Audit System, which achieves an interrelation between Internal Audit and its Risk Management.
  • Design and validation of an Organization Model of the Internal Audit System, with the application of a set of procedures, techniques and tools with a risk approach, to guarantee quality improvements in the Internal Audit process.

Below is an illustration of how the organization of the Internal Audit process is achieved based on an adequate Risk Management, which is synthesized based on the following steps, finally contributing to the interrelation between them.

Diagnosis and evaluation of risks

This is an investigation into the exercise of audits in the Internal Audit Unit, executed through the use of different methods: empirical, theoretical and historical-logical.

The study began in 2005, as part of an analysis process requested by the institution's top management. It covered the supervisions carried out in the years 2003, 2004 and 2005, inclusive.

This design was carried out with the support of experts in this field who were in charge of advising and directing the area.

2.1. Model Design

2.1.1. Policy of the Internal Audit Department (UAI)

1. The risks will be identified in each of the Audit sub-processes and all the documentary evidence of their administration will be collected in a file authorized for this purpose.

2. Those responsible for the process will in turn have the obligation to report the risks observed in said process.

3. Those responsible for the process will implement and give permanent continuity to the guidelines that are dictated in the design of the Methodology for Risk Management in the Internal Audit Department.

4. The Internal Audit Department, together with the Control Committee, will be in charge of checking that the work planned for the treatment of risks is carried out.

5. The process managers will have the following functions:

Initiate actions to prevent or reduce the adverse effects of risks.

Maintain control of each risk until it is considered in the ACCEPTABLE category.

Identify, register and publicize each new risk.

Promote solutions to the risks dealt with and verify them.

Issue the corresponding communication, as appropriate, of the risk incidents in the process.

Permanently update the risk map of the process.

Keep the Process Risk File updated with all the documentary evidence regarding the treatment of risks.

6. The risk assessment will have three levels:

Acceptable.- Risk is considered acceptable when current controls can be maintained following routine procedures.

Moderate.- The risk is moderate when actions to reduce harm must be carried out and who is responsible for their implementation must be specified.

Unacceptable.- Risk is considered unacceptable when actions to reduce impact and probability must be taken immediately to mitigate the severity of the risk. The responsibility, compliance date and review date will be specified.

2.1.2. Diagnosis of the Internal Audit process

The Organization Model was conceived based on the Value Chain of the Audit process, shown in the previous Chapter.

The design to diagnose risks in the Internal Audit process consists of:

a) Define risk assessment criteria

b) Carry out the diagnosis of the Internal Audit exercise

1. Detail the tasks to be executed in each sub-process

2. Identify the risks in each sub-process

3. Evaluate the risks of each sub-process

4. Prepare the Risk Map.

c) Design the Organization Model of the Internal Audit process, with a risk approach

a) Definition of risk assessment criteria

The steps to be followed in the treatment of the risks will be those described below:

  • Identification
  • Analysis
  • Evaluation
  • Supervision and Monitoring
  • Communication and Consultation

Identification.- Risks will be identified at the vulnerable points of each sub-process, taking into account the various sources that can originate them and the possible manifestations of their occurrence. It will be detailed whether the source is internal or external. The following should be recorded:

  • What the risk is
  • How it can manifest itself
  • Why
  • What controls are in place at that time to counteract its effects

Analysis.- The identified risks are analyzed in terms of the consequences and probabilities of their occurrence:

  • Probability
  • Impact

Risks are analyzed by combining impact estimates and their probability of occurrence, in the context of existing control measures, assessing the strengths and weaknesses of each one. If any risk is excluded, it should be mentioned in the analysis. By combining the consequences of an event occurring with the probability of it occurring, a level of risk is determined.

Evaluation. The Risk Levels in the Internal Audit Department will be the following:

  • Acceptable
  • Moderate
  • Unacceptable

The sources of information that can be used for these purposes are:

  • Statistical data
  • Experiences
  • Daily practice
  • Relevant data from publications
  • Checks carried out by market research
  • Results of experiments
  • Established models
  • Opinions and judgments of experts and specialists

The techniques to analyze risks, among others, can be:

  • Interviews
  • Expert groups
  • Individual questionnaires

Supervision and Monitoring. It is necessary that the risks and the effectiveness of the control measures of each one, be monitored and supervised to be sure that the changing conditions, both internal and of the environment, do not alter the priorities of their treatment. It also contributes to the identification of new sources of risks and therefore the beginning of the treatment of the new identified risks.

Communication and Consultation. In each step of the risk management process it is important to maintain adequate communication with the interested parties. At each step there must be a way to communicate the work being done with the hazards.

This communication must be foreseen in both directions. It will not only be conceived as a flow of information towards the interested parties; there must also be feedback to the issuer with the criteria of all those involved, so that there is communication on the control exercised, that is to say, information from the Supervisors to the corresponding levels, including the auditor, and advice in order to achieve improvements in the exercise of Internal Audit.

b) Diagnosis of the Internal Audit process

b-1. Tasks to be executed in each sub-process and identification of risks

In order to diagnose the internal audit process and identify the risks in the process, the study must be carried out based on the tasks provided for each sub-process, and the risks determined.

For this, a Standard must be used, the one shown below:

Once the risks are known, the process of evaluating them must begin, which requires the following steps:

b-2. Classification of risks

Evaluation.- It is the result of comparing the established risk levels with the pre-established criteria for its evaluation. In this case the criteria are the following:

a) Probability of occurrence of Risk

b) Impact upon occurrence of Risk.

To do this:

  • the probabilities of occurrence must be determined in:

a) Uncommon (FP)

b) Moderate (M)

c) Frequent (F)

Uncommon: when the Risk occurs only in exceptional circumstances.

Moderate: It can happen at some point.

Frequent: Expected to occur in most circumstances.

  • The Impact before the occurrence would be considered as:

a) Mild (L)

b) Moderate (M)

c) Large (G)

Mild: Tolerable harm. Low financial loss.

Moderate: Requires a differentiated treatment: Medium financial loss.

Large: Requires differentiated treatment. High financial loss.

The Risk assessment would be:

Acceptable: (Low risk). When current controls can be maintained, following routine procedures.

Moderate: (Medium Risk). They are considered Acceptable risks with Control Measures. Damage reduction actions must be undertaken and the responsibilities for their implementation and supervision must be specified.

Unacceptable: (High Risk). Impact and Likelihood reduction actions must be taken immediately to mitigate the severity of the risk. The person in charge and the date of the systematic review will be specified.

If you want to evaluate the Impact of Risks on a sub-process, a Standard is used, which is shown below:

To evaluate, the Standard is used, where all the risks of each of the previously diagnosed sub-processes are identified, and they are evaluated in accordance with the provisions above.

The risk assessment provides the list of priorities for the treatment of risks through the actions to be followed in each case.

The objectives of the organization and the degree of opportunity that can be achieved as a result of dealing with risk must be taken into account. The degree of benefit for the parties involved will also be taken into account.

b-3. Risks Map

After evaluating all the risks, they are placed in the quadrant of the Map that corresponds to them according to the Matrix. The Map is a well-known and widely used graphic representation technique that serves as a working tool.

It is illustrated below:

Illustration No. 6. Risk Levels (Matrix)

As can be seen, the above graph illustrates the quadrants where these Risks are located according to their Impact and Probability of Occurrence, and their color identifies their Evaluation. This does not mean that any Risk is left out of the Measurement Plan, since the monitoring of all those identified and the Action Plan of each one must be maintained.

The options to take into account to undertake risk reduction actions can be:

  • Avoid it
  • Reduce probability of occurrence
  • Reduce consequences
  • Transfer risk
  • Retain risk

These options should then be evaluated and the cost benefit of the risk treatment decision taken into account.

Risk treatment plans will be drawn up. In them, the following will be taken into account:

  • The risk in order of priority
  • Possible treatment options
  • Level that the risk acquires after being treated
  • Result of the cost benefit analysis
  • Responsible for undertaking the action
  • Implementation schedule
  • How it will be monitored

And of course many others, which can be derived from a casuistic analysis in a UAI.

The Action Plan would be in correspondence with the type of risk, with the organization where the service is carried out, with the type of audit, with the sub-process that is carried out and of course with the auditor or assistant that executes it.

Of vital importance are mastery of the activity, monitoring of the successive execution and management of future actions, and systematic supervision at different times of the audits, according to the incidence of past or repeated risks in the sub-processes with the greatest impacts. The Internal Audit Organizations must prepare Action Plans that contribute to the auditor's preparation regarding the performance of the profession.

Action plan


Due to the impact that the occurrence of the risks observed in the investigation produces today, an Action Plan must be drawn up in which it is proposed, fundamentally:

  • The design of an Organizational Execution System for each of the audit sub-processes
  • Train audit professionals in theoretical-practical training that guarantees quality in the exercise of their functions
  • Evaluate the results of the supervisions
  • Maintain surveillance of the possible commission of risks in the systematic development of the audit exercise
  • Monitor compliance with the Value Chain by each professional, etc.

Responsible:

  • Audit Department
  • Supervisor
  • Group Head
  • Auditor

Standards:

They consist of Guides, with certain aspects to be evaluated for each sub-process, which must conclude with an evaluation classified according to the probability of occurrence and the Impact upon occurrence.

  • In addition to being summarized, it must be represented in a graph, in order to develop the consequent Action Plan to reduce the probability of occurrence.

Controls:

The behavior of each sub-process, and for each work area, must be evaluated frequently.

It is important to establish a control system in this Value Chain, where all the Audit sub-processes are necessary to achieve an effective and efficient service, with the expected quality requirements. An efficient risk management would then be a scientific approach to its behavior, anticipating possible accidental losses with the design and implementation of procedures that minimize the occurrence of losses or the financial impact of the losses that may occur.

The following shows the results of the validation of the Risk Assessment and Diagnosis Model set out above.

2.2. Model validation

2.2.1. Diagnosis Results

As stated above, the investigation was based on a study of the Supervisions carried out over a period of three years on different professionals in the exercise of certain audits.

To carry out the diagnosis, it was necessary to start from the logistic flow of the Value Chain of each Audit sub-process in the Internal Audit Organization of the Copextel SS Corporation. For each sub-process we indicate the most important tasks to be carried out in this service, which this organization performs as a fundamental process, and we mention the risks in the fulfillment of the different tasks, which are possible in any organization that provides audit services, applying the standard proposed in the Design.

In the study, the seven sub-processes proposed by the author in this research were diagnosed, with tasks based on criteria from specialists of the Audit Directorate and UAI auditors from different provinces, as well as experts on the subject. Undoubtedly, not everything is written and this is only a first attempt at study, since the process is not a unique scheme; in each area of action the Model must be adapted, since the guarantee of the design is that it can adjust to the environment with its specific characteristics and conditions.

The results of this Diagnosis, Evaluation and Map of the Risks of the Internal Audit process of the UAI under study are illustrated in Annexes No. 1, 2 and 3, which are attached at the end of the Investigation Report.

Due to the impact produced by the occurrence of the risks observed in the investigation, an Action Plan was drawn up in which it was proposed, fundamentally:

  • The design of an Organizational Execution System for each of the audit sub-processes.

Of course it was necessary to achieve a proper implementation:

  • Train audit professionals in theoretical-practical training that will guarantee quality in the exercise of their functions, based on the procedures, techniques and tools provided for in the Model.
  • Systematically evaluate the results of the supervisions carried out on the Auditors, in various audits.
  • Maintain vigilance of the possible commission of risks in the systematic development of the audit exercise.
  • Monitor compliance with the Value Chain by each professional.
  • Etc.

To comply with the Action Plan, proposed by the author, an Organization Model of the Internal Audit System was prepared, carried out with a risk approach, in which the following were also provided:

  • Work objectives
  • Responsible for execution
  • Standards
  • Controls to be carried out
  • And also includes a glossary of Terms

The results obtained to date are validated by the different institutions, which are supported as guarantees of their application in Annexes at the end of the Research Report, among which are:

  • Its practical application as an Internal Audit manual, in the UAI, object of study those that correspond to the Object of investigation and field of action respectively.
  • Study of application of the Territorial Audit Delegation of the Sancti Spiritus province.
  • Use as Bibliography in the teaching of ten Postgraduate Audits at the Sancti Spiritus “José Martí” University Center and three of the modules taught as Auditing Diplomas that are carried out in a Requalification Program for UAI auditors of the entity under study, developed in the Western Zone, Central Zone and Eastern Zone.
  • Scientific Session Opinion of the Sancti Spiritus “José Martí” University Center, as a Topic to aspire to the Scientific Degree of Doctor of Science.
  • Certificate of approval of the subject by the Academy of Sciences.
  • Several of the notifications of study and consultation of professionals and students from certain Latin American countries who access the Publications of different Publications made on Internet sites.
  • Certificates of Publications of different subjects related to the designed organization model. (13)
  • Participation in the ANEC Municipal Economic Forum (2007) with a rating of Relevant.